Understanding Advanced Threats

• Distinguish between basic and advanced tactics used by attackers

• Understand why traditional security defenses are inadequate for mitigating advanced attacks

• Explore the life cycle of a targeted attack

Over the last decade, threat actors have grown in both number and sophistication. A decade ago, you could count on your perimeter intrusion prevention system (IPS) and your host-based antivirus (AV) software to defend your organization against data breaches. These days, malware associated with advanced threat campaigns sails past these traditional security defenses like they aren’t even there. But what makes advanced attacks unique? And why are traditional defenses so inept at detecting them?

This chapter explores the key differences between basic and advanced tactics used by threat actors and describes why traditional security defenses fall short. It also explores the life cycle of targeted attacks so you can better recognize their telltale signs. This chapter concludes by introducing the key components of modern advanced threat protection solutions. It describes why each of the components is pivotal to mitigating threats both at the perimeter and on endpoints.

Reviewing Modern Cyberthreat Tactics

Attackers use a range of tactics to achieve their objectives. In most cases they will take the path of least resistance. That means using tactics that are good enough to get them in the door. When the target is more heavily fortified, attackers typically employ more-advanced tactics. Let’s dive in and understand the range of tactics used by today’s threat actors.

Basic threat tactics

Simply put, basic threat tactics are easier for traditional perimeter- and host-based cybersecurity defenses to detect. These threats target known operating system and application vulnerabilities and can often be identified with pattern-matching signatures. Let’s proceed by exploring some of these basic threat tactics that have been a nuisance to IT for many years.

Worms, Trojans, and viruses

A worm is a malware program that replicates itself — typically through vulnerabilities in operating systems — over a network in order to propagate. Worms typically harm networks by consuming bandwidth, but also provide a “lateral” attack vector that may infect supposedly protected internal systems or exfiltrate data. Unlike a computer virus, a worm can propagate from host to host on its own.

A Trojan (or Trojan horse) typically masquerades as a helpful software application, with the ultimate purpose of tricking a user into granting access to a computer. Trojans may self-replicate within the infected system, but cannot propagate to other vulnerable computers on their own; they typically join networks of other infected computers (called botnets; see next section) where they wait to receive further instructions, and into which they submit stolen information. Trojans may be delivered by means of spam email or social media, or may be disguised as a pirated installer for a well-known game or application.

A virus is malicious code ranging in severity from mildly annoying to completely devastating. By attaching itself to a program or file, it spreads from one computer to another, leaving infections as it travels. However, unlike a worm, a virus can’t travel without human action.

Spyware and botnets

Spyware is software that gathers user information through an Internet connection without the user’s knowledge, usually for advertising purposes (called adware, which displays pop-up ads), but sometimes to steal confidential information such as usernames, passwords, and credit card numbers.

Spyware applications are typically bundled as a hidden component of shareware or freeware programs downloaded from the Internet. Once installed, the spyware monitors user activity and then covertly transmits that information in the background to someone else.

TECH TALK

A botnet is a collection of compromised Internet-connected computers on which malware is running. Each compromised device is called a bot (or zombie), and the human controlling a botnet is called the bot herder (or botmaster). Command and control of a botnet typically involves web servers (called command-and-control or CnC servers) operated for the specific purpose of controlling bots, though some older botnets are directed by the bot herder using Internet Relay Chat (IRC). Bots are often used to launch denial-of-service attacks, relay spam, store stolen data, and/or download additional malware to the infected host computer.

Phishing attacks

Social engineering attacks — such as phishing and baiting — are extremely common. These attacks, when successful, can lead to much broader, more-sophisticated cyberattacks. Phishing is an attempt to acquire information (and, indirectly, money) such as usernames, passwords, and credit card information, by masquerading as a trustworthy entity in email communication. After clicking on a (seemingly innocent) hyperlink, the user is directed to enter personal details on a fake website that looks and feels almost identical to the legitimate one.

Unlike spear phishing, which is a tactic used for advanced targeted attacks, phishing is opportunistic. A single, generic email is sent to hundreds or sometimes thousands of recipients. Baiting occurs when a criminal casually drops a USB thumb drive or CD-ROM in a public area like a lobby, parking lot, or cyber cafe. This drive or disc is labeled with words such as “executive compensation” or “company confidential” to pique the interest of whoever finds it. When the victim accesses the media, it installs malware on his computer.

Advanced threat tactics

In contrast to some of the basic tactics outlined above, advanced threat tactics are difficult – if not impossible – for traditional signature-based defenses to detect. They are often highly customized and designed to compromise specific targets. And although most tactics — basic and advanced — exploit known vulnerabilities, some advanced tactics are crafted to exploit vulnerabilities that are unknown to the general public. (More on that later.)

Let’s now explore various types of advanced tactics that are keeping security professionals lying awake at night.

Customized malware

The simplest way to evade traditional security defenses is to customize malware for each attack. This is surprisingly easy. By changing a single parameter using an off-the-shelf exploit kit, attackers can customize malware to exploit a known vulnerability in such a way that makes it virtually undetectable by threat-based signatures.
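As an added illustration (not part of the original chapter), the following Python scanner shows the point above on two constructed, harmless stand-in samples: an exact-bytes signature written for one build stops matching once a single embedded parameter is changed, while a signature that anchors on the family's fixed structure and wildcards the variable field still fires. The sample bytes, the "DROPPER" framing and the signatures are all made up for the demonstration.

```python
import re

# Constructed, harmless stand-ins for two builds of the same malware family.
# The "variant" differs from the "original" only in one embedded parameter
# (the CnC path), the kind of one-knob change an exploit kit makes per attack.
ORIGINAL_SAMPLE = b"MZ\x90\x00DROPPER;cnc=http://cnc.example.invalid/gate.php;key=0x41\x00"
VARIANT_SAMPLE = b"MZ\x90\x00DROPPER;cnc=http://cnc.example.invalid/gate2.php;key=0x41\x00"

# Traditional signature: the exact byte run observed in the first sample.
EXACT_SIGNATURE = b"DROPPER;cnc=http://cnc.example.invalid/gate.php;key=0x41"

# Structure-aware signature: anchor on the framing the family shares and
# wildcard the field the attacker is free to change between builds.
TOLERANT_SIGNATURE = re.compile(rb"DROPPER;cnc=https?://[^;]{1,200};key=0x41")


def exact_match(sample: bytes) -> bool:
    """Byte-for-byte pattern match, as a classic AV/IPS signature would do."""
    return EXACT_SIGNATURE in sample


def tolerant_match(sample: bytes) -> bool:
    """Match on invariant structure, tolerating the customized parameter."""
    return TOLERANT_SIGNATURE.search(sample) is not None


def scan(sample: bytes) -> dict:
    """Run both detectors over a sample and report which ones fired."""
    return {"exact": exact_match(sample), "tolerant": tolerant_match(sample)}


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        # Expected: original -> both True; variant -> exact False, tolerant True
        print(name, scan(sample))
```

The tolerant signature is only one step better: an attacker who also changes the framing defeats it too, which is why the chapter argues for detection that does not rest on static patterns alone.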

Drive-by downloads

These days, you don’t have to actively download a file from the Internet to become infected with malware. Simply visiting or “driving by” a website without stopping to click on anything can result in a compromised endpoint. A drive-by download usually exploits an unpatched web browser. Sometimes websites designed to deliver drive-by payloads are owned and maintained by a cybercriminal. Other times, attackers compromise perfectly legitimate websites to increase the chances of victimizing a host.

Watering hole attacks

A watering hole attack is performed when an attacker compromises a website that is frequently visited by users of an organization that he or she is targeting. The attacker inserts code into the website that results in malware infection. Once infected, the user’s host will typically connect to a CnC server to obtain further instructions from the attacker.

Spear phishing attacks

A spear phishing email is just like a phishing email except it is carefully constructed to target an individual person or group of people employed by an organization of interest. Attackers frequently use social media sites, such as LinkedIn and Facebook, to construct carefully crafted emails that appear to be sent from trusted friends or colleagues. Opening a malware-infected email attachment or clicking on a malicious embedded link can cause the victim’s computer to become compromised.

Spear phishing is one of the most common tactics attackers use to initiate an advanced targeted attack.

Zero-day attacks

A zero-day attack occurs when an attacker exploits an operating system or application vulnerability that is not generally known to the public. This tactic gets its name from the fact that the attack was launched on (or increasingly before) “day zero” of public awareness of the vulnerability — and, in many instances, before the vendor itself was even aware. In some instances, the vendor is already aware of the vulnerability, but hasn’t disclosed it publicly because the vulnerability hasn’t yet been patched.

Zero-day attacks are extremely effective because they can go undetected for long periods (usually several months but sometimes a couple of years), and when they are finally identified “in the wild,” patching the vulnerability can still take days or even weeks.

Thanks to Steve Piper, CISSP, Fireeye.com


Eliza-May Austin

CEO & Co-Founder of th4ts3cur1ty.company and the PocketSIEM MSSP service

9y

Nice article
